PATCH TUESDAY —

Hackers exploit critical security bugs in Adobe Flash, MS Office

Both companies advise users to install updates as soon as possible.

Adobe Systems and Microsoft have patched separate critical vulnerabilities in widely used software after receiving reports that they're being exploited "in the wild" by targeted attacks.

An update for Adobe's Flash Player—available for computers running Windows, Mac OS X, and Linux operating systems—can be installed on most systems through an automatic update mechanism. It can also be downloaded and installed manually. Google's Chrome browser comes with a custom version of Flash that is also automatically updated.

Adobe issued the patch in an unscheduled update following two separate reports from researchers who didn't want to be named, a company spokeswoman said. The attacks are delivered in a malicious Microsoft Word document that exploits the ActiveX version of Flash Player for Internet Explorer on Windows. The parties targeted are unknown. A separate vulnerability in Microsoft Office and various server packages is also under active attack, Microsoft warned.

Those patches also came as Microsoft released nine updates that patch at least 26 vulnerabilities in a variety of its products, including Windows, Internet Explorer, and Exchange Server. At least one of the vulnerabilities is also being targeted in limited attacks. "Attackers have leveraged this vulnerability in limited, targeted attacks by e-mailing malicious RTF file to victims," Microsoft warned. "Victim opens RTF in WordPad or Word, triggering code execution in context of logged-on user. The vulnerability could also be triggered by browsing to a malicious webpage."